System administration
krosh, 2017-08-22 08:54:57

How can I issue a CA certificate with openssl so that it is automatically imported into Trusted Root Certification Authorities?

We use openssl to generate self-signed certificates.
Users import the certificate into the system themselves and sometimes pick the wrong store.
I would like to generate a CA certificate so that when it is imported into Windows, the user does not have to select a store and at the same time it is installed in the "Trusted Root Certification Authorities" (user or system is not very important now).
The certificate that we use now is automatically imported into the "Intermediate Certification Authorities" store, and after that, personal certificates are considered untrusted.
UPD1. The essence of the question is how to understand the logic of the standard certificate import wizard in Windows? Based on what fields and properties of the certificate does it determine the store?


3 answer(s)
chupasaurus, 2017-08-22
@chupasaurus

Import-Certificate Cmdlet

Maxim Grishin, 2017-08-22
@vesper-bot

Manual import will not work automatically, but group policy will. If there is no group policy, write a batch file for the import.

Mikhail Grigoriev, 2017-10-05
@Sleuthhound

If the PC is not in the AD domain, then you can import certificates using the certutil.exe utility (in the archive version 2 of the utility, this utility is included in CryptoPro and WindowsSDK)
or

certutil.exe -f -user -addstore CA myCAcertFile.cer
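A scripted import along the lines the answers above suggest (Import-Certificate, called from a logon script or batch wrapper), added here as an example and not part of any answer. It names the Trusted Root store explicitly, so no store has to be chosen by hand, and refuses to add anything whose fingerprint does not match a value distributed out of band. The file name is the one used in the certutil answer; the fingerprint is a placeholder and the parameter names are assumptions.

```powershell
# Added example: import a CA certificate into the current user's Trusted Root store.
# $ExpectedSha256 is a placeholder; use the fingerprint of your own CA certificate.
param(
    [string]$Path           = '.\myCAcertFile.cer',
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-OF-YOUR-CA>',
    [string]$Store          = 'Cert:\CurrentUser\Root'   # Cert:\LocalMachine\Root needs elevation
)
$ErrorActionPreference = 'Stop'

$file = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Hash the DER encoding, so PEM and DER copies of the same certificate match.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = $ExpectedSha256 -replace '[:\s]', ''
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch: file has $actual. Refusing to add it as a trusted root."
}

# A root must be self-issued: subject and issuer names are byte-identical.
$subject = [Convert]::ToBase64String($cert.SubjectName.RawData)
$issuer  = [Convert]::ToBase64String($cert.IssuerName.RawData)
if ($subject -ne $issuer) {
    throw "Not a root: issued by '$($cert.Issuer)'. Import that CA instead."
}

# It must also be marked as a CA in Basic Constraints.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA.'
}

# Skip the import when the certificate is already in the target store.
if (Test-Path -LiteralPath (Join-Path $Store $cert.Thumbprint)) {
    Write-Output "Already present in $Store ($($cert.Thumbprint))"
    return
}

Import-Certificate -FilePath $file -CertStoreLocation $Store | Out-Null
Write-Output "Imported '$($cert.Subject)' into $Store"
```

Adding to the current user's Root store shows Windows' own confirmation dialog; the machine-wide store does not prompt but requires an elevated session.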
